Five tips for a successful zero trust journey

The beginning of a journey: Why Swisscom chose zero trust for the future of its security

In our ecosystem, we sometimes hear that security is a journey, not a destination. Sooner or later, we realize that perfect cybersecurity can never be achieved. However, it’s still important to aim for it, as the true way to enhance security is through experiences. As the head of security architecture at Swisscom, I am not only responsible for today’s security architecture, but also for what it will look like in 5 to 10 years. That’s why this journey towards a long-term security strategy is very important to me.

Four years ago, we came to the conclusion that tomorrow’s risks could not be managed by today’s technology, so we needed to build a new architecture. As the largest telecommunications company in Switzerland, Swisscom falls into the category of critical infrastructures and must take the required measures to prevent disruptions that could be caused by cyberattacks. Considering our complex technological infrastructure, security needs, customer requirements and policies, we decided that zero trust was the future.

We knew that it would be a very bumpy road with a lot of time, money and resources invested, but this is the kind of long-term project that I love because they change things fundamentally. I would like to share a few tips from what I learned during this journey.

Tip #1

You must have a highly motivated core team

The first element to consider when starting your zero trust journey is building a highly motivated team. Changing the way your organization approaches security is a long and difficult process. It is therefore essential to have the right sponsors to implement this transition. But how to identify the right people? The team needs to believe in the approach, constantly learn about zero trust and be able to convince others that it is the right path for the organization.

At Swisscom, we started the journey with five people who were convinced that zero trust was the way to go. One of the biggest challenges is to explain and mobilize everyone involved in this transition — such as product owners, project managers and executives, since everyone must be involved for a successful transition.

Educating the core team was key to having a deep understanding of what zero trust is all about and, through conferences and discussions with vendors, being able to demonstrate the benefits of such a transition to all relevant stakeholders.

Tip #2

Understand what zero trust really means

There is a lot of hype around zero trust, a buzzword that many software vendors are promoting. However, not everyone has the same definition of the concept. Educating yourself what zero trust network access (ZTNA), identity-based segmentation and service mesh will help you understand what to expect. There are many books out there worth reading. This will definitely help you once you start working with vendors to pursue your zero trust journey. While collaborating with them, it is important to understand their approach to zero trust. Not all vendors define zero trust the same way. Finding a vendor that really has implemented zero trust capabilities is the first step of the collaboration.

At Swisscom, zero trust has been part of our mindset for a very long time. We have been through several different phases and our implementation throughout the organization is still ongoing.

1) First steps towards zero trust: We started our zero trust journey on a small scale. 2018, we started by implementing one service on a network layer, followed by zero trust network access (ZTNA) components in our workplace (BYOD, workplace for customers, managed workplace, etc.). Some applications already had zero trust access methodology embedded, which made the implementation and education easier.

2) Embracing zero trust more broadly: More than a year ago, we launched educational sessions in Swisscom to enhance and deepen the know-how of our employees focusing on both zero trust network access and service mesh. This program has helped our employees better understand our definition and views on the concept and talk about zero trust in the same manner.

3) ZT journey: To vendors, zero trust may be a product, but for cybersecurity professionals, it is a mindset. At Swisscom, the implementation is not yet complete and it will still take us three to five more years to reach a satisfactory level of maturity. We are working in a very large environment with complex IT and cloud infrastructure, access to public clouds, but also legacy systems in the IT and telecommunication infrastructure.

Tip #3

Incorporate zero trust into your processes from the start

Zero trust is not just security products that you can easily install in your infrastructure. To implement it successfully, you will have to redesign application access and completely rethink how you implement security policies across all your business and technology units. The most important element is to get a deep understanding of your structure, which is critical when it comes to complex environments like our networks. This way, you can determine how to better secure them and how to add zero trust by design in upcoming developments.

In every development process, we now have a “built-in security” initiative. Whenever we build something, security requirements must be considered by design. The scope is highly scrutinized and security requirements are defined by the team. For instance, we ask ourselves and our customers if there are any special regulations that we should take into account, or if the data we are handling is sensitive. Then, each product and development team has at least one security professional (a “security champion”) who is responsible to keep security top-of-mind for the project.

All developers and engineers are being trained to build secure products, which leads me to my next tip …

Tip #4

Education is key

One of the most important steps in the zero trust journey is to have a clear view on what it is and what it means for the future of your company and its security. To accomplish that, education must be the foundation. It is not just about understanding the technical and technological units, but also about redesigning enforcement points, communication between application components, application access, and changing the mindset — for example, in terms of access allowance management. The zero trust path is very long and requires many resources. Therefore, it is crucial to be educated on this topic to motivate everyone to become a part of this journey.

By educating, we learn to be aligned as a team and move together on this long journey, so that everyone is equally involved, interested and willing to share all the resources that are needed.

Tip #5

Start small and take time

In a big company like Swisscom, the process of zero trust implementation requires changing more than 1,000 application deployments, including access control policies and security architecture. All changes need to be approved by the application managers, so they must be on-board. We see this as a combination of awareness and financial challenges. Although the zero trust journey takes a lot of resources, one of the most important ones is time. Be ready for any such project to take years to be fully implemented.

This is why we started the implementation by setting up small pilot groups to run and test how zero trust works for us. We learned a lot from user feedback and were able to fine-tune our processes progressively. Besides that, these pilots also helped us create training sessions craft FAQs and develop chatbots to help answer user questions. Although they are only based on a narrow working environment, our pilots have shown that zero trust does not have a negative impact on the user experience or vulnerability management.

The result? We are saving time in most of our development processes and are able to rationalize them. Developers that previously viewed security as a burden now understand its importance in their job. With service mesh we are transitioning towards “security as code”, completely automating security enforcement. A huge leap forward compared to asking operational teams to configure dozens of firewalls with hundreds of rules for each developer request in the past. This makes the overall process much faster and more efficient as human interventions and errors are avoided.

My key takeaways

While the adoption of zero trust network access did pay off immediately, the complete overhaul of our security architecture towards a perimeter-less zero trust approach will take much longer. We are confident that adopting zero trust will have tremendous positive impact on the long run. We know that the process will still take a lot of time, but we are very satisfied with having implemented this new approach. Zero trust is becoming an important differentiator, both internally and for our customers.

Finally, remember, that the most important step in a zero trust transformation has nothing to do with technology. Rather, it’s about understanding, learning and taking the right decisions for the future.

Share this article

About the author

Panos Zarkadakis

Panos Zarkadakis

Head of Security Architecture, Swisscom

Panos works for more than ten years at Swisscom, the largest Swiss ICT provider. He is responsible for Swisscom’s security architecture, a key critical infrastructure in Switzerland. In his more than 30 years of professional experience, he has worked in a wide variety of industries, including banks, government and insurance companies. In addition to his studies in computer science and information security, he completed his management training at MIT in Boston.

His passion lies in the interaction between people and technology in order to create more security and reliability for citizens and customers in the digital world.

Follow or contact Panos